From 068145c539e128c0e97f725a31e7c1971936eb2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= Date: Fri, 6 Mar 2026 19:12:36 +0100 Subject: [PATCH] fix(ci): Refactor CI/CD workflow for AWS and image management Updated CI/CD workflow to improve AWS role handling and image tagging. --- .github/workflows/cicd.yml | 461 +++++++++++++++++++++++++++++-------- 1 file changed, 367 insertions(+), 94 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 8eb438b..815c400 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -57,11 +57,20 @@ jobs: name: Start AWS EC2 runners runs-on: ubuntu-latest permissions: write-all + outputs: + image_created: ${{ steps.created.outputs.image_created }} steps: + - name: Capture created timestamp (shared) + id: created + shell: bash + run: | + set -euo pipefail + echo "image_created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT" + - name: Configure AWS credentials (OIDC) uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} role-duration-seconds: 3600 aws-region: ${{ secrets.AWS_REGION }} @@ -81,7 +90,7 @@ jobs: if: github.event_name == 'workflow_dispatch' name: Prepare release (create tag) needs: [pre-run] - runs-on: [self-hosted, linux, x64, us-east-1] + runs-on: [self-hosted, linux, x64] permissions: contents: write steps: @@ -128,11 +137,14 @@ jobs: name: Build image (linux/amd64) needs: [pre-run, prepare] if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && needs.prepare.result == 'success')) }} - runs-on: [self-hosted, linux, x64, us-east-1] + runs-on: [self-hosted, linux, x64] timeout-minutes: 120 env: - DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }} + DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }} GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} + IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }} + IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }} + outputs: tag: ${{ steps.tag.outputs.tag }} is_rc: ${{ steps.tag.outputs.is_rc }} @@ -195,9 +207,29 @@ jobs: echo "MAJOR_TAG=$MAJOR" >> $GITHUB_ENV echo "MINOR_TAG=$MINOR" >> $GITHUB_ENV - - name: Capture created timestamp - run: echo "IMAGE_CREATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV + - name: Wait for tag to be visible (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} shell: bash + run: | + set -euo pipefail + for i in {1..90}; do + if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then + echo "Tag ${TAG} is visible on origin"; exit 0 + fi + echo "Tag not yet visible, retrying... ($i/90)" + sleep 2 + done + echo "Tag ${TAG} not visible after waiting" >&2 + exit 1 + + - name: Ensure repository is at the tagged commit (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} + shell: bash + run: | + set -euo pipefail + git fetch --tags --force + git checkout "refs/tags/${TAG}" + echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}" #- name: Set up QEMU # uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 @@ -240,6 +272,18 @@ jobs: tags: | ${{ env.GHCR_IMAGE }}:amd64-${{ env.TAG }} ${{ env.DOCKERHUB_IMAGE }}:amd64-${{ env.TAG }} + labels: | + org.opencontainers.image.title=${{ github.event.repository.name }} + org.opencontainers.image.version=${{ env.TAG }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.source=${{ github.event.repository.html_url }} + org.opencontainers.image.url=${{ github.event.repository.html_url }} + org.opencontainers.image.documentation=${{ github.event.repository.html_url }} + org.opencontainers.image.description=${{ github.event.repository.description }} + org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }} + org.opencontainers.image.created=${{ env.IMAGE_CREATED }} + org.opencontainers.image.ref.name=${{ env.TAG }} + org.opencontainers.image.authors=${{ github.repository_owner }} cache-from: type=gha,scope=${{ github.repository }}-amd64 cache-to: type=gha,mode=max,scope=${{ github.repository }}-amd64 @@ -250,11 +294,13 @@ jobs: name: Build image (linux/arm64) needs: [pre-run, prepare] if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && needs.prepare.result == 'success')) }} - runs-on: [self-hosted, linux, arm64, us-east-1] # NOTE: ensure label exists on runner + runs-on: [self-hosted, linux, arm64] # NOTE: ensure label exists on runner timeout-minutes: 120 env: - DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }} + DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }} GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} + IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }} + IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }} steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -291,8 +337,31 @@ jobs: echo "TAG=$TAG" >> $GITHUB_ENV + - name: Wait for tag to be visible (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} + shell: bash + run: | + set -euo pipefail + for i in {1..90}; do + if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then + echo "Tag ${TAG} is visible on origin"; exit 0 + fi + echo "Tag not yet visible, retrying... ($i/90)" + sleep 2 + done + echo "Tag ${TAG} not visible after waiting" >&2 + exit 1 + + - name: Ensure repository is at the tagged commit (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} + shell: bash + run: | + set -euo pipefail + git fetch --tags --force + git checkout "refs/tags/${TAG}" + echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}" + - name: Log in to Docker Hub - if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: docker.io @@ -327,31 +396,86 @@ jobs: tags: | ${{ env.GHCR_IMAGE }}:arm64-${{ env.TAG }} ${{ env.DOCKERHUB_IMAGE }}:arm64-${{ env.TAG }} + labels: | + org.opencontainers.image.title=${{ github.event.repository.name }} + org.opencontainers.image.version=${{ env.TAG }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.source=${{ github.event.repository.html_url }} + org.opencontainers.image.url=${{ github.event.repository.html_url }} + org.opencontainers.image.documentation=${{ github.event.repository.html_url }} + org.opencontainers.image.description=${{ github.event.repository.description }} + org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }} + org.opencontainers.image.created=${{ env.IMAGE_CREATED }} + org.opencontainers.image.ref.name=${{ env.TAG }} + org.opencontainers.image.authors=${{ github.repository_owner }} cache-from: type=gha,scope=${{ github.repository }}-arm64 cache-to: type=gha,mode=max,scope=${{ github.repository }}-arm64 # --------------------------------------------------------------------------- - # 5) Create and push multi-arch manifests (TAG, plus optional latest/major/minor) + # 4b) Build ARMv7 image (linux/arm/v7) on arm runner via QEMU # --------------------------------------------------------------------------- - create-manifest: - name: Create multi-arch manifests - needs: [build-amd, build-arm] - if: ${{ needs.build-amd.result == 'success' && needs.build-arm.result == 'success' }} - runs-on: [self-hosted, linux, x64, us-east-1] # NOTE: ensure label exists on runner - timeout-minutes: 30 + build-armv7: + name: Build image (linux/arm/v7) + needs: [pre-run, prepare] + if: ${{ needs.pre-run.result == 'success' && ((github.event_name == 'push' && github.actor != 'github-actions[bot]') || (github.event_name == 'workflow_dispatch' && needs.prepare.result == 'success')) }} + runs-on: [self-hosted, linux, arm64] + timeout-minutes: 120 env: - DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }} + DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }} GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} - TAG: ${{ needs.build-amd.outputs.tag }} - IS_RC: ${{ needs.build-amd.outputs.is_rc }} - MAJOR_TAG: ${{ needs.build-amd.outputs.major }} - MINOR_TAG: ${{ needs.build-amd.outputs.minor }} - # workflow_dispatch controls are respected only here (tagging policy) - PUBLISH_LATEST: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_latest || vars.PUBLISH_LATEST }} - PUBLISH_MINOR: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_minor || vars.PUBLISH_MINOR }} + IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }} + IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }} steps: + - name: Checkout code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + fetch-depth: 0 + + - name: Determine tag + validate format + shell: bash + env: + EVENT_NAME: ${{ github.event_name }} + INPUT_VERSION: ${{ inputs.version }} + run: | + set -euo pipefail + if [ "$EVENT_NAME" = "workflow_dispatch" ]; then + TAG="$INPUT_VERSION" + else + TAG="${{ github.ref_name }}" + fi + + if ! [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then + echo "Invalid tag: $TAG" >&2 + exit 1 + fi + + echo "TAG=$TAG" >> $GITHUB_ENV + + - name: Wait for tag to be visible (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} + shell: bash + run: | + set -euo pipefail + for i in {1..90}; do + if git ls-remote --tags origin "refs/tags/${TAG}" | grep -qE "refs/tags/${TAG}$"; then + echo "Tag ${TAG} is visible on origin"; exit 0 + fi + echo "Tag not yet visible, retrying... ($i/90)" + sleep 2 + done + echo "Tag ${TAG} not visible after waiting" >&2 + exit 1 + + - name: Ensure repository is at the tagged commit (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} + shell: bash + run: | + set -euo pipefail + git fetch --tags --force + git checkout "refs/tags/${TAG}" + echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}" + - name: Log in to Docker Hub - if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: docker.io @@ -372,55 +496,124 @@ jobs: echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV" echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV" - - name: Create manifest for GHCR (:TAG) + - name: Set up QEMU + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + + - name: Build and push (arm/v7 -> *:armv7-TAG) + id: build_armv7 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + with: + context: . + push: true + platforms: linux/arm/v7 + tags: | + ${{ env.GHCR_IMAGE }}:armv7-${{ env.TAG }} + ${{ env.DOCKERHUB_IMAGE }}:armv7-${{ env.TAG }} + labels: | + org.opencontainers.image.title=${{ github.event.repository.name }} + org.opencontainers.image.version=${{ env.TAG }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.source=${{ github.event.repository.html_url }} + org.opencontainers.image.url=${{ github.event.repository.html_url }} + org.opencontainers.image.documentation=${{ github.event.repository.html_url }} + org.opencontainers.image.description=${{ github.event.repository.description }} + org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }} + org.opencontainers.image.created=${{ env.IMAGE_CREATED }} + org.opencontainers.image.ref.name=${{ env.TAG }} + org.opencontainers.image.authors=${{ github.repository_owner }} + cache-from: type=gha,scope=${{ github.repository }}-armv7 + cache-to: type=gha,mode=max,scope=${{ github.repository }}-armv7 + + # --------------------------------------------------------------------------- + # 5) Create and push multi-arch manifests (TAG, plus optional latest/major/minor) + # --------------------------------------------------------------------------- + create-manifest: + name: Create multi-arch manifests + needs: [build-amd, build-arm, build-armv7] + if: ${{ needs.build-amd.result == 'success' && needs.build-arm.result == 'success' && needs.build-armv7.result == 'success' }} + runs-on: [self-hosted, linux, x64] # NOTE: ensure label exists on runner + timeout-minutes: 30 + env: + DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }} + GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} + TAG: ${{ needs.build-amd.outputs.tag }} + IS_RC: ${{ needs.build-amd.outputs.is_rc }} + MAJOR_TAG: ${{ needs.build-amd.outputs.major }} + MINOR_TAG: ${{ needs.build-amd.outputs.minor }} + # workflow_dispatch controls are respected only here (tagging policy) + #PUBLISH_LATEST: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_latest || vars.PUBLISH_LATEST }} + #PUBLISH_MINOR: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_minor || vars.PUBLISH_MINOR }} + steps: + - name: Log in to Docker Hub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + + - name: Log in to GHCR + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Normalize image names to lowercase shell: bash run: | set -euo pipefail - docker manifest create "${GHCR_IMAGE}:${TAG}" \ - --amend "${GHCR_IMAGE}:amd64-${TAG}" \ - --amend "${GHCR_IMAGE}:arm64-${TAG}" - docker manifest push "${GHCR_IMAGE}:${TAG}" + echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV" + echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV" - - name: Create manifest for Docker Hub (:TAG) - if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }} + - name: Set up Docker Buildx (needed for imagetools) + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + + - name: Create & push multi-arch index (GHCR :TAG) via imagetools shell: bash run: | set -euo pipefail - docker manifest create "${DOCKERHUB_IMAGE}:${TAG}" \ - --amend "${DOCKERHUB_IMAGE}:amd64-${TAG}" \ - --amend "${DOCKERHUB_IMAGE}:arm64-${TAG}" - docker manifest push "${DOCKERHUB_IMAGE}:${TAG}" + docker buildx imagetools create \ + -t "${GHCR_IMAGE}:${TAG}" \ + "${GHCR_IMAGE}:amd64-${TAG}" \ + "${GHCR_IMAGE}:arm64-${TAG}" \ + "${GHCR_IMAGE}:armv7-${TAG}" - # Optional tags for non-RC releases: latest, major, minor - - name: Publish additional tags (non-RC only) + - name: Create & push multi-arch index (Docker Hub :TAG) via imagetools + shell: bash + run: | + set -euo pipefail + docker buildx imagetools create \ + -t "${DOCKERHUB_IMAGE}:${TAG}" \ + "${DOCKERHUB_IMAGE}:amd64-${TAG}" \ + "${DOCKERHUB_IMAGE}:arm64-${TAG}" \ + "${DOCKERHUB_IMAGE}:armv7-${TAG}" + + # Additional tags for non-RC releases: latest, major, minor (always) + - name: Publish additional tags (non-RC only) via imagetools if: ${{ env.IS_RC != 'true' }} shell: bash run: | set -euo pipefail - tags_to_publish=() - tags_to_publish+=("${MAJOR_TAG}") - if [ "${PUBLISH_MINOR}" = "true" ]; then - tags_to_publish+=("${MINOR_TAG}") - fi - if [ "${PUBLISH_LATEST}" = "true" ]; then - tags_to_publish+=("latest") - fi + tags_to_publish=("${MAJOR_TAG}" "${MINOR_TAG}" "latest") for t in "${tags_to_publish[@]}"; do echo "Publishing GHCR tag ${t} -> ${TAG}" - docker manifest create "${GHCR_IMAGE}:${t}" \ - --amend "${GHCR_IMAGE}:amd64-${TAG}" \ - --amend "${GHCR_IMAGE}:arm64-${TAG}" - docker manifest push "${GHCR_IMAGE}:${t}" + docker buildx imagetools create \ + -t "${GHCR_IMAGE}:${t}" \ + "${GHCR_IMAGE}:amd64-${TAG}" \ + "${GHCR_IMAGE}:arm64-${TAG}" \ + "${GHCR_IMAGE}:armv7-${TAG}" - if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then - echo "Publishing Docker Hub tag ${t} -> ${TAG}" - docker manifest create "${DOCKERHUB_IMAGE}:${t}" \ - --amend "${DOCKERHUB_IMAGE}:amd64-${TAG}" \ - --amend "${DOCKERHUB_IMAGE}:arm64-${TAG}" - docker manifest push "${DOCKERHUB_IMAGE}:${t}" - fi + echo "Publishing Docker Hub tag ${t} -> ${TAG}" + docker buildx imagetools create \ + -t "${DOCKERHUB_IMAGE}:${t}" \ + "${DOCKERHUB_IMAGE}:amd64-${TAG}" \ + "${DOCKERHUB_IMAGE}:arm64-${TAG}" \ + "${DOCKERHUB_IMAGE}:armv7-${TAG}" done # --------------------------------------------------------------------------- @@ -430,22 +623,29 @@ jobs: name: Sign, attest, and release needs: [create-manifest, build-amd] if: ${{ needs.create-manifest.result == 'success' && needs.build-amd.result == 'success' }} - runs-on: [self-hosted, linux, x64, us-east-1] # NOTE: ensure label exists on runner + runs-on: [self-hosted, linux, x64] # NOTE: ensure label exists on runner timeout-minutes: 120 env: - DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }} + DOCKERHUB_IMAGE: docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }} GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} TAG: ${{ needs.build-amd.outputs.tag }} IS_RC: ${{ needs.build-amd.outputs.is_rc }} + IMAGE_LICENSE: ${{ github.event.repository.license.spdx_id || 'NOASSERTION' }} + IMAGE_CREATED: ${{ needs.pre-run.outputs.image_created }} steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 - - name: Capture created timestamp - run: echo "IMAGE_CREATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV + - name: Ensure repository is at the tagged commit (dispatch only) + if: ${{ github.event_name == 'workflow_dispatch' }} shell: bash + run: | + set -euo pipefail + git fetch --tags --force + git checkout "refs/tags/${TAG}" + echo "Checked out $(git rev-parse --short HEAD) for tag ${TAG}" - name: Install Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 @@ -453,7 +653,6 @@ jobs: go-version-file: go.mod - name: Log in to Docker Hub - if: ${{ secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_ACCESS_TOKEN != '' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: docker.io @@ -474,26 +673,54 @@ jobs: echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV" echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV" + - name: Ensure jq is installed + shell: bash + run: | + set -euo pipefail + if command -v jq >/dev/null 2>&1; then + exit 0 + fi + sudo apt-get update -y + sudo apt-get install -y jq + + - name: Set up Docker Buildx (needed for imagetools) + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Resolve multi-arch digest refs (by TAG) shell: bash run: | set -euo pipefail - GHCR_DIGEST="$(docker buildx imagetools inspect "${GHCR_IMAGE}:${TAG}" --format '{{.Manifest.Digest}}')" - echo "GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" >> $GITHUB_ENV - echo "Resolved GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" - if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then - DH_DIGEST="$(docker buildx imagetools inspect "${DOCKERHUB_IMAGE}:${TAG}" --format '{{.Manifest.Digest}}')" - echo "DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" >> $GITHUB_ENV - echo "Resolved DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" - fi - - name: Extract digests for attestation - shell: bash - run: | - set -euo pipefail - echo "GHCR_DIGEST=${GHCR_REF#*@}" >> $GITHUB_ENV - if [ -n "${DH_REF:-}" ]; then - echo "DH_DIGEST=${DH_REF#*@}" >> $GITHUB_ENV + get_digest() { + local ref="$1" + local d="" + # Primary: buildx format output + d="$(docker buildx imagetools inspect "$ref" --format '{{.Manifest.Digest}}' 2>/dev/null || true)" + + # Fallback: parse from plain text if format fails + if ! [[ "$d" =~ ^sha256:[0-9a-f]{64}$ ]]; then + d="$(docker buildx imagetools inspect "$ref" 2>/dev/null | awk '/^Digest:/ {print $2; exit}' || true)" + fi + + if ! [[ "$d" =~ ^sha256:[0-9a-f]{64}$ ]]; then + echo "ERROR: Could not extract digest for $ref" >&2 + docker buildx imagetools inspect "$ref" || true + exit 1 + fi + + echo "$d" + } + + GHCR_DIGEST="$(get_digest "${GHCR_IMAGE}:${TAG}")" + echo "GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" >> "$GITHUB_ENV" + echo "GHCR_DIGEST=${GHCR_DIGEST}" >> "$GITHUB_ENV" + echo "Resolved GHCR_REF=${GHCR_IMAGE}@${GHCR_DIGEST}" + + if [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then + DH_DIGEST="$(get_digest "${DOCKERHUB_IMAGE}:${TAG}")" + echo "DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" >> "$GITHUB_ENV" + echo "DH_DIGEST=${DH_DIGEST}" >> "$GITHUB_ENV" + echo "Resolved DH_REF=${DOCKERHUB_IMAGE}@${DH_DIGEST}" fi - name: Attest build provenance (GHCR) (digest) @@ -509,7 +736,7 @@ jobs: if: ${{ env.DH_DIGEST != '' }} uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 with: - subject-name: index.docker.io/fosrl/${{ github.event.repository.name }} + subject-name: index.docker.io/${{ github.repository_owner }}/${{ github.event.repository.name }} subject-digest: ${{ env.DH_DIGEST }} push-to-registry: true show-summary: true @@ -529,11 +756,12 @@ jobs: cosign public-key --key env://COSIGN_PRIVATE_KEY >/dev/null - name: Generate SBOM (SPDX JSON) from GHCR digest - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 + uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2 with: image-ref: ${{ env.GHCR_REF }} format: spdx-json output: sbom.spdx.json + version: v0.69.3 - name: Validate + minify SBOM JSON shell: bash @@ -567,6 +795,22 @@ jobs: --predicate sbom.spdx.json \ "${GHCR_REF}" + - name: Create SBOM attestation (Docker Hub, key) + continue-on-error: true + env: + COSIGN_YES: "true" + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_DOCKER_MEDIA_TYPES: "1" + shell: bash + run: | + set -euo pipefail + cosign attest \ + --key env://COSIGN_PRIVATE_KEY \ + --type spdxjson \ + --predicate sbom.spdx.json \ + "${DH_REF}" + - name: Keyless sign & verify GHCR digest (OIDC) env: COSIGN_YES: "true" @@ -596,6 +840,46 @@ jobs: run: cosign verify-attestation --key env://COSIGN_PUBLIC_KEY --type spdxjson "${GHCR_REF}" -o text shell: bash + - name: Sign Docker Hub digest (key, recursive) + continue-on-error: true + env: + COSIGN_YES: "true" + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_DOCKER_MEDIA_TYPES: "1" + shell: bash + run: | + set -euo pipefail + cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${DH_REF}" + + - name: Keyless sign & verify Docker Hub digest (OIDC) + continue-on-error: true + if: ${{ env.DH_REF != '' }} + env: + COSIGN_YES: "true" + ISSUER: https://token.actions.githubusercontent.com + COSIGN_DOCKER_MEDIA_TYPES: "1" + shell: bash + run: | + set -euo pipefail + cosign sign --rekor-url https://rekor.sigstore.dev --recursive "${DH_REF}" + cosign verify \ + --certificate-oidc-issuer "${ISSUER}" \ + --certificate-identity "https://github.com/${{ github.workflow_ref }}" \ + "${DH_REF}" -o text + + - name: Verify signature (public key) Docker Hub digest + tag + continue-on-error: true + if: ${{ env.DH_REF != '' }} + env: + COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} + COSIGN_DOCKER_MEDIA_TYPES: "1" + shell: bash + run: | + set -euo pipefail + cosign verify --key env://COSIGN_PUBLIC_KEY "${DH_REF}" -o text + cosign verify --key env://COSIGN_PUBLIC_KEY "${DOCKERHUB_IMAGE}:${TAG}" -o text + - name: Build binaries env: CGO_ENABLED: "0" @@ -624,29 +908,18 @@ jobs: # --------------------------------------------------------------------------- # 7) Stop AWS EC2 runner instances # --------------------------------------------------------------------------- + post-run: name: Stop AWS EC2 runners - needs: [pre-run, prepare, build-amd, build-arm, create-manifest, sign-and-release] - if: >- - ${{ - always() && - (needs.pre-run.result == 'success' && - (needs.build-amd.result == 'success' || needs.build-amd.result == 'failure' || needs.build-amd.result == 'cancelled') || - needs.build-amd.result != 'skipped') && - (needs.build-arm.result == 'success' || needs.build-arm.result == 'failure' || needs.build-arm.result == 'cancelled') || - needs.build-arm.result != 'skipped') && - (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'failure' || needs.create-manifest.result == 'cancelled') || - needs.create-manifest.result != 'skipped') && - (needs.sign-and-release.result == 'success' || needs.sign-and-release.result == 'failure' || needs.sign-and-release.result == 'cancelled') || - needs.sign-and-release.result != 'skipped') - }} + needs: [pre-run, prepare, build-amd, build-arm, build-armv7, create-manifest, sign-and-release] + if: ${{ always() && needs.pre-run.result == 'success' }} runs-on: ubuntu-latest permissions: write-all steps: - name: Configure AWS credentials (OIDC) uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} role-duration-seconds: 3600 aws-region: ${{ secrets.AWS_REGION }}